Fog Creek Software
Discussion Board

Product Liability and Certified Software?

All the recent fandango has brought to mind a couple of points that I have been pondering for some time. I thought I'd post them to JoS as the quality of comment is usually much higher than other forums, and I'd appreciate people's considered thoughts.

1. As software engineers, we all know that the majority of exploitable faults in software can be avoided if due diligence is applied in design and implementation of systems. I think, therefore, it is fair to argue that the underlying reason why it is possible for 'malware' to replicate and spread is simply negligence on the part of software vendors.

Viruses spread because the 'cyber-environment' into which they are released is currently so benign; the failure of infrastructure vendors to treat security as a primary requirement means that the internet is like a petri dish full of culture medium, whereas it should be one full of disinfectant! To propagate, viruses must infect one of the common software systems - the OS, web servers, e-mail services, databases etc. If the vendors of these products were obligated to make life seriously difficult for viruses, then, I believe, the incidence of virus creation would fall dramatically, not least because script kiddies would simply not bother. The fact is that vendors of such products simply do not seem to be sufficiently focused to apply present art in security to their products. This is recklessness that, as others are reliant upon their skills, is arguably negligent.

Why is it then that they seem to be immune to the application of product liability laws by customers who have been financially harmed by their attitude? When Ford sold the famous exploding Pinto knowing it had a design fault they got hammered. Likewise the US general aviation industry (Cessna, Piper etc.) was very nearly bankrupted by liability for products designed and sold years before. More recently the saga of Ford Explorer tyres comes to mind.

I realise that there is a huge difference between injury or loss of life and mere financial damage, but in terms of economic impact I would have thought that a single serious virus has greater effect. Given the millions of dollars of expenditure applied by US industry in patching systems and installing AV software, firewalls etc., not to say the lost revenues when systems are breached, I am very surprised that vendors haven't been the target of massive product liability cases.

I also appreciate that most software licences attempt to limit liability, but I would have thought that at least Microsoft's licence might have been pregnable on the grounds that rejection of liability by a (convicted) monopolist constituted an unfair contractual term. After all, to whom, realistically, can one turn for a PC operating system?

Beyond this, if such licence terms are enforceable, why is industry not lobbying for legislative changes to render such terms illegal? In the UK, for example, there are circumstances under which you cannot avoid liability and any terms attempting so to do would be struck down by a Court.

2. It is clearly approaching the point where the availability and security of the internet is as important to people as power, transport and communications, all areas of life that are highly regulated. In the UK (and I expect elsewhere) it is illegal to drive a car that is not roadworthy. Likewise one cannot sell uncertified electrical goods or telephones. In all these cases the certification is performed by a 'competent person', which in reality means someone holding a professional certification.

Why not, therefore, extend this to the internet? Make it an offence to connect to the internet any software system that has not been certified by a competent person as meeting agreed security standards. As the vast majority of people or businesses use shrinkwrapped software, such an action would affect very few people. By making software engineers behave as proper engineers, i.e. as chartered professionals taking responsibility for their own actions, in the same way as civil or structural engineers, the cost burden on those businesses who do write software would be minimal.

David Roper
Monday, August 25, 2003

Well, how about we let the market decide... and, even in this scenario there is certainly room for product liability suits - namely the analog to Ford Explorers tipping over is IIS vulnerability. Corporations can either decide they've had enough, and boot Redhat at their next opportunity, or they can sue Microsoft for breach of contract and/or seek damages for lost revenue.

Personally, I can think of no quicker way to kill open source projects than a scheme as you've mentioned.

take your protein pills and put your helmet on
Monday, August 25, 2003

==> More recently the saga of Ford Explorer tyres comes to mind.

The car (tires) in and of themselves went bad. I drove the car, tire blew out and killed me. Herein lies the difference. Running the OS (in and of itself) causes me *no* loss. Just because I run an insecure OS, doesn't mean the box will crash (all BSOD jokes aside). Somebody has to actually write the darned virus/worm/malware to exploit that box. There's the problem. Liability lies with the author of the malware.

Let me ask you this. We're talking security here. Can you sue Ford, when someone breaks into your car? Sure you can but it's not likely you'll win. They're selling you an inherently insecure product (similar to the OS). The exploits for a car's security are well known (jimmy the lock from the window pane, pick the lock, throw a brick through the window). Anyway, your Ford is inherently insecure (as the OS is). Let's say someone breaks into your car and <whatever>. Are you going to sue Ford? Nope. You're gonna sue the guy that broke in. Same for malware. It's the guy that "broke-in" who is the (I believe the proper legal term is) "proximate cause" of the action.

There may be some "contributory negligence" on the part of the OS vendor (everything's arguable) -- but you waive any rights (to be able to sue them) by agreeing to the EULA when you install the OS.

Just my opinion. You can tell it to the judge and see what he says. Feel free to file suit against MS and keep us posted on how it comes out <grin>

Sgt. Sausage
Monday, August 25, 2003

Put it this way: if you leave your car in the supermarket parking lot with the doors unlocked and the engine running, it is STILL a crime for anyone to steal the car.

Now if you sell a car where you can't lock the doors or stop the engine except when you're in your garage, then all other factors being equal, your car won't sell.

But if you're selling a 2004 Honda and the only competition is 1934 Model A's or 1960 MGB's that you have to build yourself, you will probably do very well.

Philo

Philo
Monday, August 25, 2003

The car analogy is a good one, but here are a few other things to think about.

Does a car buyer have a reasonable expectation that the car can not be broken into? Of course not. A reasonable person knows this.

Does a person buying an operating system have a reasonable expectation that their OS is safe? Hmmmm...Now you and me know better, but what about "ma and pop". It could be argued that they had a reasonable expectation that the software was safe from outside attack.

It really isn't a black and white issue to people outside of our industry. And guess what? The scumbag lawyers who would love to raid MS coffers are outside of our industry.

I don't favor a lawsuit against MS for the simple reason it just wastes money and time. On the other hand, MS needs to work a lot harder to ensure the security of their operating systems.

As it stands now, MS seems to have a "well, if there is a flaw then some hacker will find it. Go ahead and ship it!"

It's this mentality that will cause people to go after blood when they lose all their photos of Fifi because MS just didn't care enough to bother to write better code.

Not me.
Monday, August 25, 2003

"On the other hand, MS needs to work a lot harder to ensure the security of their operating systems."

Uh, they are. That's why the security bulletin which preceded the slammer attack and the bulletin which preceded this month's attack.

How about this - create a company to sell email server software. You *cannot* ship the software until you are 100% positive there are zero security vulnerabilities in the software. If you ship a server that has even the tiniest vulnerability, the federal government will come and take all your assets, corporate and personal.

Are you willing to take on the task? Or are you more likely to say "forget it, it's not worth the risk"? And that's just an email server using a 20 year old protocol.

I'll say "with spectacular success comes the potential for spectacular failure" and "when you're on top, everyone wants to pull you down"

Windows isn't more secure than Linux. The question is "is it secure enough for what it does?" Go check the size of the virus list and consider that there was only one major outbreak this year, and that was only after MS told the virus writers where to look.

Philo

Philo
Monday, August 25, 2003

Once again, here in Germany the vendor of a commercial software product is liable for any direct damages which occur by using the product. "No warranty/liability" terms in e.g. Microsoft's EULA are not valid here. The only reason why nobody has sued them so far is because average John Doe cannot afford to do so, and big corporations here get excellent support by Microsoft, so they have no reasons to complain.

Johnny Bravo
Monday, August 25, 2003

"Corporations can either decide they've had enough, and boot Redhat at their next opportunity, or they can sue Microsoft for breach of contract and/or seek damages for lost revenue."

I think it's very short-sighted to see the problem of software being sold "as is" as a purely Microsoft problem.

"Personally, I can think of no quicker way to kill open source projects than a scheme as you've mentioned. "

As Open source advocates say when someone who favours other computer software business models complains, "So? If your software is good enough it will still compete. Survival of the fittest man"

Robert Moir
Monday, August 25, 2003

Philo,

You have a good point, but I think it's laughable to suggest that MS is even close to being a company that gives anything beyond lip-service to security.

I'd be happy if MS made a bona-fide effort to ship secure software. Just looking at the *mountains* of patches and hot-fixes that MS has released this year paints a pretty grim picture of the true security initiative inside MS. They still just don't really care. If they did, we wouldn't have a lengthy list of fixes and patches like we do today.

Sure, "leaking" Bill Gates memo on security is great for a little PR, but that is about all it was.

I do believe that security will eventually become a real concern at MS and very likely already has. However, it's not evident in the operating systems that they are shipping today. Longhorn will be a good indicator if they really "get it" or not.

Not me.
Monday, August 25, 2003

Not me - you wanna hate Microsoft, I'm not going to change your mind. I'll just advise you that you're wasting time and effort - ABMers already agree with you, MS-only types won't listen, and the few people in between won't take you seriously when you resort to hyperbole and obviously don't feel like actually discussing the issue.

This comment: "I think it's laughable to suggest that MS is even close to being a company that gives anything beyond lip-service to security" shows that you simply do.not.get.it. If there are enough security problems, Microsoft *will* lose market share. And they care about that very, very much.

Philo

Philo
Monday, August 25, 2003

Would you like to cite an example of an OS that doesn't have a "mountain of patches" (one that isn't a simplistic embedded OS)?

Microsoft's OS security is really no worse than any other system of similar complexity, it just seems worse because it is a bigger target. 

The reason you can't find commercial games to play on Linux is the same reason you see few "in the wild" exploits for bugs that do exist (if you think Linux doesn't have a "mountain of patches", go look at the RedHat security/errata page).

Also, in my experience, the people who clamor for super-duper OS security would be the same ones who are whining later when the OS is very secure but costs $1000 per seat.

Engineering doesn't come for free, and proper security engineering is very difficult work. For a ~$100 product, Windows XP Home Edition is ridiculously secure. If your security needs are such that Windows doesn't fit the bill, I'm sure the speciality shops that work on life-or-death software can build you something better if you don't mind paying millions of dollars and losing much of the convenience a modern OS gives you.

Mister Fancypants
Monday, August 25, 2003

Philo,

Where did I resort to hyperbole? Where did I say that I "hate Microsoft".

I merely stated my opinion without resorting to the tactics of the Slash.org crowd and you responded just like one. Bravo for you.

Not me.
Monday, August 25, 2003

Fancy Pants,

You're confusing two concepts. One is of an ultra-secure operating system; the other is an operating system that isn't rife with bugs that leave the OS open to attack.

The latest flaw in Windows wasn't due to a poorly thought out security plan. It was due to a simple programming mistake in the way that DCOM worked. Some of the Windows vulnerabilities come from things as simple as Media Player.

The problem with Windows isn't the lack of security features. It's the poorly written code in the operating system that exposes the user.

Microsoft does not have a focus on quality. Just like the lumbering automotive giants didn't care about quality in the 60's, Microsoft's market presence has lured them into being lazy when it comes to shipping quality code.

Not me.
Monday, August 25, 2003

Not me, I think your main problem is that you are overly trivializing how difficult a problem it would be to make a product the size of windows secure.  Windows and all the associated software is a *giant* amount of code.  I doubt that it is really any more buggy or less secure than any other system of similar size.

It's really a problem with the industry in general, not with MS.  We are starting to learn and implement practices that improve the quality of code, but we have a long way yet to go.

I tend to agree that software producers should have some degree of liability for their products.  It is hard for me to say right now though how much is reasonable.  It's not enough to say "the company is fully responsible for what they produce, period."  You have to take into account what is actually a reasonable level of achievement.  Sure we could make companies fully liable for their software.  The only thing that would come of that is US software companies would shut down left and right.  Software development just isn't at the level yet where it would be a reasonable risk for the company to continue production.

Mike McNertney
Monday, August 25, 2003

Not Me,

Still waiting for your example of who in the industry is hitting a market similar to Windows but also creating a secure OS.  If you name one, please make sure it isn't one to which I can easily post a link that lists the hundreds of bug patches it has had in the past.

Still waiting...

Mister Fancypants
Monday, August 25, 2003

Fancypants,

Precisely what is your point? Is your point that an OS is complex and therefore security vulnerabilities are just part of the territory? What a visionary you must be.

To me, that is just a lame argument. "It's big and complex boss; it's just gonna have tons of vulnerabilities."

I don't subscribe to the notion that just because something is complex that it must be rife with bugs and vulnerabilities. I just don't accept that.

I also don't accept the notion that in order to make quality software it has to cost a zillion dollars. I'm not suggesting that MS should make Windows 100% bug free. Obviously, this would raise the cost beyond what the market will bear.

They can do better with the resources they have. I sit in amazement at people like you who defend the status quo of poorly written software.

Not me.
Monday, August 25, 2003

Some of you just don't get it. Microsoft converts code to dollars. They'll fix as many critical bugs as necessary to keep their market share, but they're not going to fix every single bug simply because it doesn't make business sense. Microsoft doesn't make good or bad software out of the goodness of their hearts. I think a lot of people miss that.

Sure Microsoft can fix all the bugs in Windows and then double the price. Are they going to make more money? No. Why not, you ask? Because some really intelligent people in Microsoft's non-technical departments have figured out that churning out new products makes a lot more financial (profit) sense than fixing stuff they've already sold.

When people accept being charged for updates, you'll see Windows get much more secure because in releasing patches and so on, it will become a profit-making service.  "But I don't feel I should have to pay for bug fixes."  Then obviously you either A) don't think it's valuable enough or B) you think fixing bugs is free.

I don't think I should have to pay for that alarm in my car. VW knows about the problem with glass being so fragile and people can break into my car. Also, if and when someone does break into my car by breaking a window, VW should pay for the replacement...

GiorgioG
Tuesday, August 26, 2003

Giorgio, you're more or less right but you missed something:

Consumer versions of Windows *are* getting a lot more secure.  People can gripe all they want about the security issues in XP, but it is a step up from 2000 which itself was a huge step up from 9x/ME.

This is a big benefit of Microsoft moving to a shared codebase (not split like 9x/NT were). 

Microsoft has a financial incentive to make the XP/2003/Longhorn/etc kernel secure because at the high end the servers are meant for heavy enterprise work, where they MUST be relatively secure to compete.  By merging the codebase the way they have, almost everything they do to secure the OS at that level filters back into the home editions, since they are based on a mostly unified codebase.


Not Me,

"I'd like cars that go 2000 miles per gallon of gas..no, make that 2000 miles per drop of water. Yeah, that's what I want.  Just because nobody makes them doesn't mean it isn't possible.  I hate when people defend the status quo horrible state of car mileage!  Oh yeah and those cars better cost no more than $100."

That's about the same thing as what you're saying. In my experience the "software should be a lot more secure" folks tend to be sysadmin/network admin/perl script coders who haven't written a sizable system for any purpose, so I guess I have to overlook how naive they are about how truly complex software development is, particularly when one cannot control all the software (have to rely on OS APIs, third party APIs, etc) or use a fixed hardware platform (like embedded systems or game consoles).

Mister Fancypants
Tuesday, August 26, 2003

Giorgio wrote:

"... Microsoft converts code to dollars. They'll fix as many critical bugs as necessary to keep their market share, but they're not going to fix every single bug simply because it doesn't make business sense. Microsoft doesn't make good or bad software out of the goodness of their hearts. I think a lot of people miss that.

Sure Microsoft can fix all the bugs in Windows and then double the price. Are they going to make more money? No. Why not, you ask? Because some really intelligent people in Microsoft's non-technical departments have figured out that churning out new products makes a lot more financial (profit) sense than fixing stuff they've already sold"

This is the nub of the problem. The trouble is that when a monopoly supplier takes this attitude it is the consumer at large that suffers. I ask myself the question, do consumers at large really need many of the 'innovative new features' that seem to justify each new release of Windows, or do we actually need simpler, more stable, more secure versions? What fundamental purpose is met by, for example, .NET over and above the RPC and distributed platform technologies that already existed? Microsoft deliberately chose to introduce a whole slew of new code (and inevitably new vulnerabilities) over and above fixing problems. Imposing product liability, or some other form of regulation, would shift the balance so that the aims of "the really intelligent people in Microsoft's non-technical departments" were more closely aligned with those of the consumer.

I'm not blaming Microsoft for acting this way any more than I blame a fox for killing my chickens; it's simply the response of the organisation to the market in which it operates. Likewise, Microsoft are not the only company that suffers from this problem, it's just that the desktop operating system market is *much* less competitive than that for databases or other infrastructure products. This is why I feel that the only way to achieve decent, consistent levels of quality is to change the nature of the market.

David Roper
Tuesday, August 26, 2003

David,

are you arguing that MS became focused on providing "innovative new features" once they were labelled with a certain market share % in a particular market analysis?

Just me (Sir to you)
Tuesday, August 26, 2003

"The car (tires) in and of themselves went bad. I drove the car, tire blew out and killed me"

You're looking remarkably well, considering.


Tuesday, August 26, 2003

>Consumer versions of Windows *are* getting a lot more secure.  People can gripe all they want about the security issues in XP, but it is a step up from 2000 which itself was a huge step up from 9x/ME.

Mr Fancypants,

That's my point though, Microsoft will make incremental fixes as new products roll out.  Microsoft doesn't have a problem making things more secure in the next release of Windows because that will be a selling point.  If they up and fixed everything in Windows 2000 or XP, why would anyone buy/upgrade? ;-)

GiorgioG
Tuesday, August 26, 2003

Why is it that people get so angry when it comes to discussing Microsoft? Both Philo and Mr. Fancypants have acted as if I just crucified their cat in front of them.

As to your car analogy, Mr. Fancypants. It's flawed for one very obvious reason. In order to squeeze that kind of mileage out of a car isn't a question of *quality*, it's a question of engineering.

For Microsoft to ship better code isn't a question of engineering, it's a question of quality.

See the difference?

Really though, if having an intelligent, rational discussion on Microsoft taxes your emotions, then it's best we just leave it at that.

Not me.
Tuesday, August 26, 2003

> I don't subscribe to the notion that just because something is complex that it must be rife with bugs and vulnerabilities. I just don't accept that.

> I also don't accept the notion that in order to make quality software it has to cost a zillion dollars.

> ... the status quo of poorly written software.

Not me, the mind boggles.


Tuesday, August 26, 2003

"Not me, the mind boggles. "

Given your incoherent post that lacked a point, it isn't surprising you are confused. Not at all.

Which part confused you? That software today is largely a heaping pile of crap? Or that it doesn't have to be that way?

Not me.
Tuesday, August 26, 2003